CVE-2026-40338 - Vulnerability Details

- libgphoto2 has OOB read in ptp_unpack_Sony_DPD() enumeration count parsing in ptp-pack.c

Description

libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in the PTP_DPFF_Enumeration case of `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (line 856). The function reads a 2-byte enumeration count N via `dtoh16o(data, *poffset)` without verifying that 2 bytes remain in the buffer. The standard `ptp_unpack_DPD()` at line 704 has this exact check, confirming the Sony variant omitted it by oversight. Commit 3b9f9696be76ae51dca983d9dd8ce586a2561845 fixes the issue.

Published: 2026-04-17

Score: 5.2 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability stems from the libgphoto2 camera library, specifically the ptp_unpack_Sony_DPD() routine in ptp-pack.c. In versions up to 2.5.33 the function reads a 2‑byte enumeration count without first verifying that the buffer contains two bytes. This unchecked read can expose arbitrary memory contents from the host process that handles camera communication, constituting a classic out-of-bounds read flaw.

Affected Systems

Any installation of libgphoto2 for the gphoto vendor with a version 2.5.33 or earlier is affected. Software that depends on this library and communicates with Sony cameras via the PTP_DPFF_Enumeration content will also be vulnerable. Public releases newer than 2.5.33 contain the fix and are not impacted.

Risk and Exploitability

The CVSS score of 5.2 indicates a medium severity threat. Exploitation would require an attacker to supply crafted PTP commands to the library, typically by interacting with a connected camera device or through a vulnerable camera control application. Because the flaw is an out-of-bounds read rather than a format‑string or privilege‑escalation bug, the risk of arbitrary code execution is low, but the potential to leak sensitive data is present. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, suggesting a moderate but not imminent exploitation risk. The likely attack vector is a local or device-based attack where the attacker can send compromised data to the library.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

gphoto

libgphoto2

affected

Version	Status	Constraints
`<= 2.5.33`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade libgphoto2 to the latest release or apply the patch commit 3b9f9696be76ae51dca983d9dd8ce586a2561845 to eliminate the unchecked buffer read.
Ensure that all dependent software references the updated library and restart services to load the patched binary.
If an immediate update is not feasible, restrict access to camera devices by limiting permissions to trusted users or disabling PTP features until the library can be updated.

Generated by OpenCVE AI on April 18, 2026 at 08:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00007.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/gphoto/libgphoto2/commit/3b9f9696be76ae51dca983d9dd8ce586a2561845
https://github.com/gphoto/libgphoto2/security/advisories/GHSA-2hwp-w84q-27hf

History

Sat, 18 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description		libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in the PTP_DPFF_Enumeration case of `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (line 856). The function reads a 2-byte enumeration count N via `dtoh16o(data, *poffset)` without verifying that 2 bytes remain in the buffer. The standard `ptp_unpack_DPD()` at line 704 has this exact check, confirming the Sony variant omitted it by oversight. Commit 3b9f9696be76ae51dca983d9dd8ce586a2561845 fixes the issue.
Title		libgphoto2 has OOB read in ptp_unpack_Sony_DPD() enumeration count parsing in ptp-pack.c
Weaknesses		CWE-125
References		https://github.com/gphoto/libgphoto2/commit/3b9f9696be76ae51dca983d9dd8ce586a2561845 https://github.com/gphoto/libgphoto2/security/advisories/GHSA-2hwp-w84q-27hf
Metrics		cvssV3_1 `{'score': 5.2, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-17T23:40:10.097Z

Updated: 2026-04-17T23:40:10.097Z

Reserved: 2026-04-10T22:50:01.358Z

Link: CVE-2026-40338

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-18T00:16:37.810

Modified: 2026-04-18T00:16:37.810

Link: CVE-2026-40338

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:00:05Z

Weaknesses

CWE-125

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact Low

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object